How To Audit a PostgreSQL Database with InSpec on Ubuntu 18.04

Introduction

InSpec is an open-source, automated testing framework for testing and auditing your system to ensure the compliance of integration, security, and other policy requirements. Developers can test the actual state of their infrastructure and applications against a target state using InSpec code.

To specify the policy requirements you’re testing for, InSpec includes audit controls. Traditionally, developers manually enforce policy requirements and often do this right before deploying changes to production. With InSpec however, developers can continuously evaluate compliance at every stage of product development, which aids in solving issues earlier in the process of development. The InSpec DSL (Domain Specific Language) built on RSpec, a DSL testing tool written in Ruby, specifies the syntax used to write the audit controls.

InSpec also includes a collection of resources to assist in configuring specific parts of your system and to simplify making audit controls. There is a feature to write your own custom resources when you need to define a specific solution that isn’t available. Universal matchers allow you to compare resource values to expectations across all InSpec tests.

In this tutorial, you’ll install InSpec on a server running Ubuntu 18.04. You will start by writing a test that verifies the operating system family of the server, then you’ll create a PostgreSQL audit profile from the ground up. This audit profile starts by checking that you have PostgreSQL installed on the server and that its services are running. Then you’ll add tests to check that the PostgreSQL service is running with the correct port, address, protocol, and user. Next you’ll test specific PostgreSQL configuration parameters, and finally, you’ll audit client authentication configuration.

Prerequisites

Before following this tutorial, you will need the following:

Step 1 — Preparing the Environment

In this step, you’ll download and unpack the latest stable version of InSpec into your home directory. InSpec provides installable binaries on their downloads page.

Navigate to your home directory:

  • cd ~

Now download the binary with curl:

  • curl -LO https://packages.chef.io/files/stable/inspec/3.7.11/ubuntu/18.04/inspec_3.7.11-1_amd64.deb

Next, use the sha256sum command to generate a checksum of the downloaded file. This is to verify the integrity and authenticity of the downloaded file.

  • sha256sum inspec_3.7.11-1_amd64.deb

Checksums for each binary are listed on the InSpec downloads page, so visit the downloads page to compare with your output from this command.


Output
e665948f9c0441e8648b08f8d3c8d34a86f9e994609877a7e4853c012dbc7523 inspec_3.7.11-1_amd64.deb

If the checksums are different, delete the downloaded file and repeat the download process.
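
The comparison described above can be scripted so that the package is only ever installed when its hash matches the value published on the InSpec downloads page, and is deleted otherwise. This is an added shell example, not part of the original tutorial: the function name verify_download and the sample file are constructed, and the expected hash is the one you copy from the downloads page.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify a downloaded package
# against the checksum published by the vendor and fail closed on mismatch.
# Usage: verify_download <file> <expected_sha256>
#   returns 0 on match, 1 on mismatch (file is removed), 2 if file is missing

verify_download() {
    file="$1"
    expected="$2"

    if [ ! -f "$file" ]; then
        echo "verify_download: $file not found" >&2
        return 2
    fi

    # sha256sum prints "<hash>  <filename>"; keep only the hash field and
    # lowercase the published value so a hash copied with capitals still matches.
    actual=$(sha256sum "$file" | awk '{print $1}')
    expected=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')

    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published checksum"
        return 0
    fi

    # A mismatch means a corrupt or tampered download: never hand it to dpkg.
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    rm -f "$file"
    return 1
}
```

For the real download the call is `verify_download inspec_3.7.11-1_amd64.deb <hash from the downloads page> && sudo dpkg -i inspec_3.7.11-1_amd64.deb`, so the install step is skipped automatically when the check fails.
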

Next, you’ll install the downloaded binary. For this, you’ll use the dpkg command that you can use for package management, and which comes with all Debian-based systems, such as Ubuntu, by default. The -i flag prompts the dpkg command to install the package files.

  • sudo dpkg -i inspec_3.7.11-1_amd64.deb

If there are no errors, it means that you’ve installed InSpec successfully. To verify the installation, enter the following command:

  • inspec version

You’ll receive output showing the version of InSpec you just installed:


Output
3.7.11

If you don’t see a version number displayed, go through Step 1 again.

After this, you can delete inspec_3.7.11-1_amd64.deb since you don’t need it anymore as you’ve installed the package:

  • rm inspec_3.7.11-1_amd64.deb

You’ve successfully installed InSpec on your server. In the next step, you will write a test to verify the operating system family of your server.

Step 2 — Completing Your First InSpec Test

In this step, you’ll complete your first InSpec test, which will be testing that your operating system family is debian.

You will use the os resource, which is a built-in InSpec audit resource to test the platform on which the system is running. You’ll also use the eq matcher. The eq matcher is a universal matcher that tests for the exact equality of two values.

An InSpec test consists of a describe block, which contains one or more it and its statements each of which validates one of the resource’s features. Each statement describes an expectation of a specific condition of the system as assertions. Two keywords that you can include to make an assertion are should and should_not, which assert that the condition should be true and false respectively.

Create a file called os_family.rb to hold your test and open it with your text editor:

  • nano os_family.rb

Add the following to your file:

os_family.rb
describe os.family do
  it { should eq 'debian' }
end

This test ensures that the operating system family of the target system is debian. Other possible values are windows, unix, bsd, and so on. You can find a complete list in the os resource documentation. Save and exit the file.

Next, run your test with the following command:

  • inspec exec os_family.rb

The test will pass, and you’ll receive output resembling the following:


Output
Profile: tests from os_family.rb (tests from os_family.rb)
Version: (not specified)
Target:  local://

  debian
     ✔  should eq "debian"

Test Summary: 1 successful, 0 failures, 0 skipped

In your output, the Profile contains the name of the profi